Please guide me on how I can resolve the above vulnerabilities. Do I need to upgrade Tomcat? If yes, to which version do I need to upgrade, as I currently have the Tomcat that comes bundled with CLM 5.0.2? I need your help with this urgently.

One answer

I would suggest upgrading to the latest available version of Tomcat in the same release, i.e. if Tomcat is 7.0.XX, go to tomcat.apache.org and find the most recent package for your platform. You cannot just drop the new version onto the existing one, as the CLM setup will be lost. Here's how I've upgraded Tomcat from the default provided in the CLM package:

Stop the CLM application server (Tomcat).

Copy or move the tomcat/conf/server.xml, your certificate file and the tomcat/webapps directory to a location "above" the tomcat directory.

Unpack the downloaded Tomcat package in the <jazz_install>/server/ directory. I think it will create a directory with apache-tomcat-Vers as the name. Rename the old tomcat directory, then rename the new directory to tomcat.

Replace the tomcat/conf/server.xml with the one you saved, and move the certificate file back to its original location. Also put the webapps directory back under the tomcat directory.

I wrote the above from memory and it has been over one year since we used Tomcat. Search this forum or the library for explicit instructions.

You can also search Google for the exact phrases of all 4 of your entries and find references, e.g.

https://tomcat.apache.org/security-7.html

The RC4 will not be fixed by any upgrade, rather one must exclude (delete) those ciphers in the tomcat/conf/server.xml file.

I'm surprised McAfee does not also provide a CVE reference, which would give more precise descriptions/remediation of its findings.

No issue, I will search for more accurate steps to upgrade the Tomcat of CLM.

Secondly, regarding RC4, could you please elaborate a bit more: in the "Tomcat/conf/server.xml" file, what exactly do I need to delete, and what can I not delete? A bit more elaboration on this would be great for me, as it would be the first time I delete anything from server.xml, and if I do anything wrong it will become another issue for me.
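
To make the RC4 point in the answer concrete, here is an added example (not part of the original thread and not IBM's or Apache's own code) that reads a server.xml, finds each SSL-enabled Connector, and reports which entries in its ciphers attribute contain RC4 and what the attribute looks like once they are excluded. It assumes the cipher list is a comma-separated list of JSSE cipher names; the sample file, port, keystore name and cipher list are constructed, and audit_connectors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Tomcat HTTPS <Connector> as it might appear in
# tomcat/conf/server.xml. Ports, keystore name and cipher list are made up.
SAMPLE_SERVER_XML = """<Server port="9005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="9080" protocol="HTTP/1.1" redirectPort="9443"/>
    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="example.keystore"
               ciphers="SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
                        SSL_RSA_WITH_RC4_128_MD5, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"/>
  </Service>
</Server>"""


def audit_connectors(server_xml):
    """Return one finding per SSL-enabled Connector: which cipher names
    contain RC4, and the ciphers attribute value with those names removed."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, no cipher list to check
        raw = conn.get("ciphers")
        if raw is None:
            # No explicit list: the JVM's default cipher suites apply, so
            # there is nothing to delete here; a list would have to be added.
            findings.append({"port": conn.get("port"), "rc4": None, "kept": None})
            continue
        names = [c.strip() for c in raw.split(",") if c.strip()]
        rc4 = [c for c in names if "RC4" in c.upper()]
        kept = [c for c in names if c not in rc4]
        findings.append({"port": conn.get("port"), "rc4": rc4,
                         "kept": ",".join(kept)})
    return findings


if __name__ == "__main__":
    for item in audit_connectors(SAMPLE_SERVER_XML):
        if item["rc4"] is None:
            print("port %s: no ciphers attribute, JVM defaults in use" % item["port"])
        elif item["rc4"]:
            print("port %s: remove %s" % (item["port"], ", ".join(item["rc4"])))
            print('  ciphers="%s"' % item["kept"])
        else:
            print("port %s: no RC4 ciphers listed" % item["port"])
```

Only the RC4 names inside the ciphers value change; the Connector element and its other attributes stay as they are, and keeping a backup copy of server.xml makes the edit easy to revert.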